HijackThis Log: Please help diagnose


  • This topic is locked
14 replies to this topic

#1 rabyrd

rabyrd

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:09:01 PM

Posted 13 December 2004 - 02:33 PM

Logfile of HijackThis v1.97.7
Scan saved at 12:01:05 PM, on 12/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\AvConsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebac.org/mc/page.do
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebac.org
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.mcafeehelp.com/
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: d.com
O1 - Hosts: com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55E301E5-BA44-4095-BB0B-14E0123CCF71} - C:\DOCUME~1\CRAIGC~1\LOCALS~1\Temp\spbil.dat (file missing)
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [*iiseula] C:\WINDOWS\Tasks\iiseula.exe
O4 - HKLM\..\Run: [*binmain] C:\WINDOWS\addins\binmain.exe
O4 - HKLM\..\Run: [*regac] C:\WINDOWS\system\regac.exe
O4 - HKLM\..\Run: [*sav] C:\WINDOWS\Fonts\sav.exe
O4 - HKLM\..\Run: [*mccab] C:\WINDOWS\Fonts\mccab.exe
O4 - HKLM\..\Run: [*antis] C:\WINDOWS\Fonts\antis.exe
O4 - HKLM\..\Run: [*dlldoc] C:\WINDOWS\AppPatch\dlldoc.exe
O4 - HKLM\..\Run: [*libps] C:\WINDOWS\security\logs\libps.exe
O4 - HKLM\..\Run: [*utilas] C:\WINDOWS\Fonts\utilas.exe
O4 - HKLM\..\Run: [*com] C:\WINDOWS\Fonts\com.exe
O4 - HKLM\..\Run: [*svrw] C:\WINDOWS\Registration\svrw.exe
O4 - HKLM\..\Run: [*iisip] C:\WINDOWS\msagent\chars\iisip.exe
O4 - HKLM\..\Run: [*logwave] C:\WINDOWS\Registration\logwave.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iiseula] C:\WINDOWS\Tasks\iiseula.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/...B?37923.4771875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:08:01 PM

Posted 14 December 2004 - 01:27 PM

Please download and run this new tool from Symantec:

http://securityresponse.symantec.com/avcen...moval.tool.html
Follow Symantec's instructions for how to run it.

When the removal process is finished you will find a log on your Desktop. Don't delete it. Please copy & paste the contents of the log as a reply to this post.


You are running an outdated version of HijackThis. Delete the copy you have and download the latest version of HijackThis!: Download here HJT 1.98.2. Save it on your Desktop. You will now need to unzip hijackthis.exe to a permanent folder, such as c:\hjt. This has to be done as HijackThis creates backups. You may need to use these backups.

First create a new folder:
A. Click My Computer icon on your desktop
B. Click C: drive
C. Click the File menu --> New --> Folder, a folder "New folder" will be created.
D. Rename it HJT

Unzip hijackthis.exe to the c:\HJT folder.

Please post a new hijackthis log.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

#3 rabyrd

Posted 17 December 2004 - 05:00 PM

Symantec Trojan.Vundo Removal Tool 1.2.4

C:\Documents and Settings\Craig Cantrell: (not scanned)
C:\Documents and Settings\Dan: (not scanned)
C:\System Volume Information: (not scanned)
C:\WINDOWS\Temp\spbil.dat: (deleted)
Deleted the value "Active State" from the registry key
"HKEY_USERS\S-1-5-21-343818398-854245398-682003330-1003\Software\Microsoft\Internet Explorer\Main".
Deleted the registry key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55E301E5-BA44-4095-BB0B-14E0123CCF71}".


Trojan.Vundo has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 22710
The number of deleted files: 1
The number of viral threads terminated: 0
The number of registry entries fixed: 2

#4 rabyrd

Posted 17 December 2004 - 05:37 PM

Symantec Trojan.Vundo Removal Tool 1.2.4

C:\Documents and Settings\Administrator\My Documents: (not scanned)
C:\Documents and Settings\Craig Cantrell\Local Settings\Temp\aluerba.dat: (deleted)
C:\Documents and Settings\Craig Cantrell\Local Settings\Temp\codlld.dat: (deleted)
C:\Documents and Settings\Craig Cantrell\Local Settings\Temp\moc.dat: (deleted)
C:\Documents and Settings\Craig Cantrell\Local Settings\Temp\salitu.dat: (deleted)
C:\Documents and Settings\Craig Cantrell\Local Settings\Temp\spbil.dat: (deleted)
C:\Documents and Settings\Craig Cantrell\Local Settings\Temp\temp.frB1E4: (deleted)
C:\Documents and Settings\Craig Cantrell\Local Settings\Temp\wrvs.dat: (deleted)
C:\Documents and Settings\Dan: (not scanned)
C:\System Volume Information: (not scanned)

Trojan.Vundo has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 24661
The number of deleted files: 7
The number of viral threads terminated: 0
The number of registry entries fixed: 0

#5 Daisuke

Posted 17 December 2004 - 07:29 PM

OK, and the hijackthis log ? Your log is not clean.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

#6 rabyrd

Posted 18 December 2004 - 11:06 AM

Logfile of HijackThis v1.99.0
Scan saved at 3:53:19 PM, on 12/17/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebac.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebac.org
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: d.com
O1 - Hosts: com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [*iiseula] C:\WINDOWS\Tasks\iiseula.exe
O4 - HKLM\..\Run: [*binmain] C:\WINDOWS\addins\binmain.exe
O4 - HKLM\..\Run: [*regac] C:\WINDOWS\system\regac.exe
O4 - HKLM\..\Run: [*sav] C:\WINDOWS\Fonts\sav.exe
O4 - HKLM\..\Run: [*mccab] C:\WINDOWS\Fonts\mccab.exe
O4 - HKLM\..\Run: [*antis] C:\WINDOWS\Fonts\antis.exe
O4 - HKLM\..\Run: [*dlldoc] C:\WINDOWS\AppPatch\dlldoc.exe
O4 - HKLM\..\Run: [*libps] C:\WINDOWS\security\logs\libps.exe
O4 - HKLM\..\Run: [*utilas] C:\WINDOWS\Fonts\utilas.exe
O4 - HKLM\..\Run: [*com] C:\WINDOWS\Fonts\com.exe
O4 - HKLM\..\Run: [*svrw] C:\WINDOWS\Registration\svrw.exe
O4 - HKLM\..\Run: [*iisip] C:\WINDOWS\msagent\chars\iisip.exe
O4 - HKLM\..\Run: [*logwave] C:\WINDOWS\Registration\logwave.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iiseula] C:\WINDOWS\Tasks\iiseula.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AVSync Manager - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Networks Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

Please help

#7 Daisuke

Posted 18 December 2004 - 01:44 PM

rabyrd

When responding to a post from one of our HJT Team members, please reply in the same topic - click the Add Reply button. Do not create a new topic for your reply. This will cause confusion and a delay in the help you are receiving.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

#8 rabyrd

Posted 20 December 2004 - 12:26 PM

Please accept my apology for any confusion I may have caused. Thanks for your help

#9 Daisuke

Posted 20 December 2004 - 01:08 PM

Could you please post a fresh log :thumbsup:
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

#10 rabyrd

Posted 20 December 2004 - 03:14 PM

Logfile of HijackThis v1.99.0
Scan saved at 1:12:21 PM, on 12/20/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebac.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebac.org
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: d.com
O1 - Hosts: com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [*iiseula] C:\WINDOWS\Tasks\iiseula.exe
O4 - HKLM\..\Run: [*binmain] C:\WINDOWS\addins\binmain.exe
O4 - HKLM\..\Run: [*regac] C:\WINDOWS\system\regac.exe
O4 - HKLM\..\Run: [*sav] C:\WINDOWS\Fonts\sav.exe
O4 - HKLM\..\Run: [*mccab] C:\WINDOWS\Fonts\mccab.exe
O4 - HKLM\..\Run: [*antis] C:\WINDOWS\Fonts\antis.exe
O4 - HKLM\..\Run: [*dlldoc] C:\WINDOWS\AppPatch\dlldoc.exe
O4 - HKLM\..\Run: [*libps] C:\WINDOWS\security\logs\libps.exe
O4 - HKLM\..\Run: [*utilas] C:\WINDOWS\Fonts\utilas.exe
O4 - HKLM\..\Run: [*com] C:\WINDOWS\Fonts\com.exe
O4 - HKLM\..\Run: [*svrw] C:\WINDOWS\Registration\svrw.exe
O4 - HKLM\..\Run: [*iisip] C:\WINDOWS\msagent\chars\iisip.exe
O4 - HKLM\..\Run: [*logwave] C:\WINDOWS\Registration\logwave.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iiseula] C:\WINDOWS\Tasks\iiseula.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AVSync Manager - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Networks Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

#11 Daisuke

Posted 20 December 2004 - 04:38 PM

Hi :thumbsup:

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: d.com
O1 - Hosts: com

O4 - HKLM\..\Run: [*iiseula] C:\WINDOWS\Tasks\iiseula.exe
O4 - HKLM\..\Run: [*binmain] C:\WINDOWS\addins\binmain.exe
O4 - HKLM\..\Run: [*regac] C:\WINDOWS\system\regac.exe
O4 - HKLM\..\Run: [*sav] C:\WINDOWS\Fonts\sav.exe
O4 - HKLM\..\Run: [*mccab] C:\WINDOWS\Fonts\mccab.exe
O4 - HKLM\..\Run: [*antis] C:\WINDOWS\Fonts\antis.exe
O4 - HKLM\..\Run: [*dlldoc] C:\WINDOWS\AppPatch\dlldoc.exe
O4 - HKLM\..\Run: [*libps] C:\WINDOWS\security\logs\libps.exe
O4 - HKLM\..\Run: [*utilas] C:\WINDOWS\Fonts\utilas.exe
O4 - HKLM\..\Run: [*com] C:\WINDOWS\Fonts\com.exe
O4 - HKLM\..\Run: [*svrw] C:\WINDOWS\Registration\svrw.exe
O4 - HKLM\..\Run: [*iisip] C:\WINDOWS\msagent\chars\iisip.exe
O4 - HKLM\..\Run: [*logwave] C:\WINDOWS\Registration\logwave.exe

O4 - HKLM\..\Run: [iiseula] C:\WINDOWS\Tasks\iiseula.exe

Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
C:\WINDOWS\Tasks\iiseula.exe <-- this file

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?
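
An added example, not part of Daisuke's post and not a BleepingComputer or HijackThis tool: a short Python parser that reads HijackThis entry lines, flags `O4` Run values, and lists what a fix removed between two logs. The two flagging rules (a value name starting with `*`, an executable under `C:\WINDOWS` but outside `system32`) are assumptions generalised from the entries selected for fixing above; the sample lines are copied from the logs in posts #10 and #12.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: a few lines copied from the logs in posts #10 (before) and #12 (after).
BEFORE = r"""
O1 - Hosts: com
O1 - Hosts: com
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [*iiseula] C:\WINDOWS\Tasks\iiseula.exe
O4 - HKLM\..\Run: [*sav] C:\WINDOWS\Fonts\sav.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iiseula] C:\WINDOWS\Tasks\iiseula.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                  # "O4 - ..."
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")  # hive, key, name, command
EXE_RE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)               # quoted or bare path

# Assumptions of this example, not rules stated in the thread:
WINDOWS_DIR = "c:\\windows\\"                # %SystemRoot% as it appears in these logs
PROGRAM_DIRS = ("c:\\windows\\system32\\",)  # where Windows' own autoruns are expected


def parse_entries(log):
    """Return (code, body) tuples for every 'Xn - ...' line; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def removed_entries(before, after):
    """Entries present in `before` but gone from `after`, duplicates counted."""
    gone = Counter(parse_entries(before)) - Counter(parse_entries(after))
    return sorted(gone.elements())


def suspicious_autoruns(log):
    """Flag O4 Run values by the two heuristics; return (name, exe, reasons)."""
    flagged = []
    for code, body in parse_entries(log):
        m = RUN_RE.match(body) if code == "O4" else None
        if not m:
            continue  # not a registry Run value (e.g. a Startup-folder shortcut)
        name, cmd = m.group(3), m.group(4)
        exe = EXE_RE.match(cmd)
        if not exe:
            continue
        path = exe.group(1)
        folder = ntpath.dirname(path).lower() + "\\"
        reasons = []
        if name.startswith("*"):
            reasons.append("value name starts with '*'")
        if folder.startswith(WINDOWS_DIR) and not folder.startswith(PROGRAM_DIRS):
            reasons.append("executable under the Windows folder but outside system32")
        if reasons:
            flagged.append((name, path, reasons))
    return flagged


if __name__ == "__main__":
    for name, path, reasons in suspicious_autoruns(BEFORE):
        print(f"[{name}] {path}: {'; '.join(reasons)}")
    print("removed by the fix:", len(removed_entries(BEFORE, AFTER)))
```

A flag from this sketch is a prompt for review, not a verdict; legitimate software can trip either rule and malware can avoid both.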

#12 rabyrd

Posted 21 December 2004 - 01:35 PM

Logfile of HijackThis v1.99.0
Scan saved at 3:45:08 PM, on 12/20/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebac.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebac.org
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: AVSync Manager - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Networks Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

#13 Daisuke

Posted 22 December 2004 - 04:52 AM

Log looks clean...great job ! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected ? With steps so it does not happen again !

Glad I was able to help.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

#14 rabyrd

Posted 22 December 2004 - 10:47 AM

Have been struggling with this for a couple of months. Many thanks.
Regards,

#15 Daisuke

Posted 22 December 2004 - 01:35 PM

You're Welcome ! Happy holiday :thumbsup:

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?
